diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -3099,6 +3099,12 @@
 protocol_mappers:
 - "%{alias('keycloak::resources::protocol_mappers::audience')}"
 - "%{alias('keycloak::resources::protocol_mappers::groups')}"
+ hedgedoc:
+ settings:
+ redirect_uris:
+ # Should match letsencrypt::certificates.hedgedoc.domains
+ - https://hedgedoc.softwareheritage.org/*
+ secret: "%{alias('keycloak::clients::hedgedoc::secret')}"
 SoftwareHeritageStaging:
 settings:
 display_name: Software Heritage (Staging)
diff --git a/site-modules/profile/manifests/keycloak/resources.pp b/site-modules/profile/manifests/keycloak/resources.pp
--- a/site-modules/profile/manifests/keycloak/resources.pp
+++ b/site-modules/profile/manifests/keycloak/resources.pp
@@ -66,6 +66,24 @@
 }
 }
+ $client_scopes = pick($realm_data['client_scopes'], {})
+ $realm_client_scope_common_settings = deep_merge(
+ $client_scope_common_settings,
+ pick($realm_data['client_scope_settings'], {})
+ )
+ $client_scopes.each |$client_scope_name, $client_scope_data| {
+ $_local_client_scope_settings = pick($client_scope_data['settings'], {})
+ $_full_client_scope_settings = deep_merge($realm_client_scope_common_settings, $_local_client_scope_settings)
+
+ $client_scope_id = fqdn_uuid("${realm_name}.${client_scope_name}")
+
+ keycloak_client_scope {"${client_scope_name} on ${realm_name}":
+ ensure => present,
+ id => $client_scope_id,
+ * => $_full_client_scope_settings,
+ }
+ }
+
 $clients = pick($realm_data['clients'], {})
 $realm_client_common_settings = deep_merge($client_common_settings, pick($realm_data['client_settings'], {}))
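Review bot: The `redirect_uris` entry for the new `hedgedoc` client in data/common/common.yaml ends in `/*`, so Keycloak will accept any path on hedgedoc.softwareheritage.org as a redirect target for this client. HedgeDoc serves user-authored content on that same host, so pinning the entry to the exact OAuth2 callback path would limit where an authorization code can be delivered. I would expect something like `- https://hedgedoc.softwareheritage.org/auth/oauth2/callback`, with the path confirmed against the deployed HedgeDoc version. The enclosing clients map and its inherited common settings start outside the hunk, so the client's access type and enabled flows cannot be checked from here.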
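Review bot: In resources.pp the scope id is computed as `fqdn_uuid("${realm_name}.${client_scope_name}")`, which ties the Keycloak object to its hiera key, and nothing in the added loop documents that. Renaming or dropping a key under `client_scopes` would presumably leave the old scope, and whatever claims it grants, in the realm, since the loop only declares `ensure => present`. A comment above the loop would help, e.g. `# id is derived from realm + scope name; a renamed or removed scope must be cleaned up in Keycloak explicitly`. It could also say that `ensure` and `id` must not appear in the merged settings hash, because they are set explicitly next to the `* =>` splat. The enclosing per-realm block and the definition of `$client_scope_common_settings` are outside the hunk.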